Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cb935c9a08224127…

MALICIOUS

Office (OLE)

18.0 KB Created: 2000-10-16 14:06:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 0e1dacd1f80c451cfd0d77c3fb1b7fa4 SHA-1: fadcc5cbe4f301fd41a257faa851b7d2b1373c82 SHA-256: cb935c9a08224127a6d257e71680716244260b1f19e7db37768b7f0e70e69012
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as a legacy WordBasic macro virus by heuristics, indicating the presence of malicious macro code. The document body contains numerous metadata fields and embedded strings that are typical of older Word documents, but no explicit instructions or lures are present. The primary finding is the detection of legacy macro virus markers, suggesting an attempt to execute arbitrary code.

Heuristics 2

  • ClamAV: Win.Trojan.Simple-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Simple-8
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.